;;; guix-config --- additional software for a custom configuration of gnu-guix
;;; Copyright © 2020 Kolya <kolya.daemon@vfemail.net>
;;;
;;; This file is part of guix-config
;;;
;;; guix-config is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; guix-config is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (kolyad etc workstation)
  #:use-module (gnu system accounts)
  #:use-module (guix gexp)
  #:use-module (guix utils)
  #:use-module (srfi srfi-1)
  #:export (subid-file
            %sudoers-file
            %wpa-supplicant-conf-file
            %nftables-ruleset-file
            %kresd-conf-file
            %kolyad-motd-file
            %syslog-conf-file))

;;
;; subuid, subgid
;;
(define* (subid-file name start range accounts)
  "Function to define the files following the subgid and subuid file formats"
  (let ((user-accounts (filter
                         (lambda (account)
                           (string=? (user-account-group account) "users"))
                         accounts)))
    (plain-file name
      (apply string-append
        (let loop ((id start)
                   (users user-accounts))
          (if (null? users)
            '()
            (cons
              (format #f "~a:~a:~a~%"
                      (user-account-name (car users))
                      id
                      range)
              (loop (+ id range) (cdr users)))))))))

;;
;; sudoers
;;

(define %sudoers-file (plain-file "sudoers"
"Cmnd_Alias POWER=/run/current-system/profile/sbin/shutdown,\
                  /run/current-system/profile/sbin/halt,\
                  /run/current-system/profile/sbin/reboot
Defaults insults
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL, (root) NOPASSWD: POWER
"))

;;
;; wpa_supplicant
;;

(define %wpa-supplicant-conf-file (plain-file "wpa_supplicant.conf"
"#Config File for wpa-supplicant
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
#ap_scan=1

# Wireless Card stuff - may not work with shitty sta driver
auto_uuid=1
serial_number=3141592653
mac_addr=1
preassoc_mac_addr=1
"))

;;
;; nftables
;;

(define %nftables-ruleset-file (plain-file "nftables.conf"
"flush ruleset

define LOCAL = {
  192.168.0.0/16,
  127.0.0.0/8
}

table inet filter {
  chain output {
    type filter hook output priority filter; policy accept;
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
  }

  chain input {
    #Set priority -1 (filter - 1) so that it precedes any iptables hooks.
    type filter hook input priority -1; policy drop;

    #drop invalid packets
    ct state invalid log level warn prefix \"Recieved invalid packet: \" counter drop

    #accept connections already made
    ct state {established, related} accept

    #accept packets to loopback
    meta iif lo accept

    #drop connections to loopback not coming from loopback
    meta iif != lo ip  daddr 127.0.0.1/8 counter drop
    meta iif != lo ip6 daddr ::1/128     counter drop

    #necessary ip6 icmp fuctionality
    ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert} counter accept

    #accept packets to ssh
    tcp dport 22 ct state new log level notice prefix \"New SSH connection: \" counter accept
    udp dport 22 ct state new log level notice prefix \"New SSH connection: \" counter accept

    #count all dropped packets
    counter
  }
}
"))

;;
;; Knot Resolver
;;

(define %kresd-conf-file (plain-file "kresd.conf"
"--Knot DNS Resolver configuration in -*- lua -*-
net = { '127.0.0.1', '::1' }
user('knot-resolver', 'knot-resolver')

cache.size = 1*GB

modules = {
  'policy',
  'view',
  'hints',
  'serve_stale < cache',
  'workarounds < iterate',
  'stats',
  'predict'
}

--DNS over TLS for uncached queries
--Requires nss-certs
policy.add(policy.all(policy.TLS_FORWARD({
  {'2620:fe::fe', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
  {'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
  {'2620:fe::9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'},
  {'149.112.112.112', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt'}
})))

--Prefetch learned
predict.config({window = 20, period = 72})"))

;;
;; motd
;;

(define %kolyad-motd-file 
  (canonicalize-path (string-append (current-source-directory) "/aux-files/workstation/kolyad-motd" )))

;;
;; syslogd
;;

(define %syslog-conf-file
   (plain-file "syslog.conf" "
# Log all error messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.alert;auth.notice;authpriv.none       /dev/console

# Log anything (except mail) of level warning or higher.
# Don't log private authentication messages!
*.warn;mail.none;authpriv.none          /var/log/messages

## Like /var/log/messages, but also including \"debug\"-level logs.
#*.debug;mail.none;authpriv.none         /var/log/debug

# The authpriv file has restricted access.
authpriv.*                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                  /var/log/maillog
"))
;;; vim: set expandtab tabstop=2 shiftwidth=2
;;; end of file workstation-config-files.scm
